On 2012-05-16 15:24 , Mann, Dave wrote:
> Kent Landfield wrote:
>> Yes I fully understand what you are asking is necessary but I think we need
>> to look at the root cause for these questions. Am I correct in asserting
>> that this is a our funding issue? If you had twice the funding, would we
>> be having this conversation ?
> The feeling by everybody on the CVE team is that CVE is not keeping up with the need (whatever "the need" is) and we know that staffing, resources and process changes will all need to be considered as a part of any solution. In fact, we've been publicly discussing the issue of CVE staffing levels on this list. Last September, in response to questions about CVE's staffing levels, I wrote:
>
> "There is no rational way to say that CVE's resourcing level is too low or too high unless we can compare CVE's performance to an agreed upon set of "must have" goals in terms of information sources and products covered."
>
> We stand by this statement. While we need to discuss staffing, we must address the core issue, which is the fact that the vulnerability disclosure landscape has evolved and the CVE project needs to evolve in light of this. Here are three of the changes we see, all of which lead us back to the core question of CVE's scope:
I've been catching up on this list out of order...
I'll suggest again that the board come up with "coverage, speed, and
quality" (maybe there are other measures?) and say "This is what CVE
should be." Or "This is what CVE should be, this is what it must be or
it will no longer function."
The current discussion seems to be about trying to achieve or define
minimal coverage.
> For the first time in our history, we need to more explicitly define the scope of CVE. We must and will talk about staffing levels, quality, process changes and the implications these all have on standardization efforts. But we believe that if CVE is to survive in a new landscape, we first need to agree on its scope.
Yes. So let's work on the scope we really think CVE should have,
partially ignoring for the moment effort/funding, the difficulties of
tracking Linux packages, and ranking vulnerability information sources.
I've joked around about this before, but I wonder what would happen if
CVE went dark for a month. CVE has become an infrastructural standard,
so it is IMO greatly under-appreciated by a lot of folks who actually
benefit from it.
- Art